java.lang.Object
org.elasticsearch.xpack.security.authc.TokenService

public class TokenService extends Object
Service responsible for the creation, validation, and other management of UserToken objects for authentication
  • Field Details

    • THREAD_POOL_NAME

      public static final String THREAD_POOL_NAME
    • TOKEN_EXPIRATION

      public static final Setting<org.elasticsearch.core.TimeValue> TOKEN_EXPIRATION
    • DELETE_INTERVAL

      public static final Setting<org.elasticsearch.core.TimeValue> DELETE_INTERVAL
    • DELETE_TIMEOUT

      public static final Setting<org.elasticsearch.core.TimeValue> DELETE_TIMEOUT
    • MINIMUM_BASE64_BYTES

      public static final int MINIMUM_BASE64_BYTES
  • Constructor Details

  • Method Details

    • createOAuth2Tokens

      public void createOAuth2Tokens(Authentication authentication, Authentication originatingClientAuth, Map<String,Object> metadata, boolean includeRefreshToken, ActionListener<TokenService.CreateTokenResult> listener)
      Creates an access token, and optionally a refresh token, from auto-generated token values, based on the provided authentication and metadata. The created tokens are stored in the security index for versions up to VERSION_TOKENS_INDEX_INTRODUCED and in a dedicated security tokens index for later versions.
    • createOAuth2Tokens

      public void createOAuth2Tokens(byte[] accessTokenBytes, @Nullable byte[] refreshTokenBytes, Authentication authentication, Authentication originatingClientAuth, Map<String,Object> metadata, ActionListener<TokenService.CreateTokenResult> listener)
      Creates an access token, and optionally a refresh token, from the given predefined token values, based on the provided authentication and metadata. The created tokens are stored in the security index for versions up to VERSION_TOKENS_INDEX_INTRODUCED and in a dedicated security tokens index for later versions.
    • hashTokenString

      public static String hashTokenString(String accessTokenString)
      Hashes an access or refresh token String so that it can safely be persisted in the index. We don't salt the values as these are v4 UUIDs that have enough entropy by themselves.
    • getAuthenticationAndMetadata

      public void getAuthenticationAndMetadata(String token, ActionListener<org.elasticsearch.core.Tuple<Authentication,Map<String,Object>>> listener)
      Reads the authentication and metadata from the given token. This method does not validate whether the token is expired or not.
    • invalidateAccessToken

      public void invalidateAccessToken(String accessToken, ActionListener<TokensInvalidationResult> listener)
      This method performs the steps necessary to invalidate an access token so that it can no longer be used. Invalidation consists of updating the token document and setting the access_token.invalidated field to true.
    • invalidateRefreshToken

      public void invalidateRefreshToken(String refreshToken, ActionListener<TokensInvalidationResult> listener)
      This method invalidates a refresh token so that it can no longer be used. Invalidation consists of updating the token document and setting the refresh_token.invalidated field to true.
      Parameters:
      refreshToken - The string representation of the refresh token
      listener - the listener to notify upon completion
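The hash-before-persist, lookup and invalidation behaviour described for hashTokenString, getAuthenticationAndMetadata, invalidateAccessToken and invalidateRefreshToken, modelled in Python as an added example (this is not Elasticsearch code). The in-memory dict stands in for the security tokens index; SHA-256 as the hash function, the token document layout and the 1200-second default expiry are assumptions made for the illustration.

```python
import hashlib
import time
import uuid

def hash_token_string(token):
    # SHA-256 is an assumption here. No salt: a v4 UUID already carries ~122 bits
    # of randomness, so an index copy does not let an attacker recover live tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

class TokenStore:
    def __init__(self, expiration_seconds=1200):
        self.expiration_seconds = expiration_seconds
        self.docs = {}  # token-hash -> token document (stands in for the index)

    def create_tokens(self, authentication, metadata, include_refresh):
        access = str(uuid.uuid4())
        refresh = str(uuid.uuid4()) if include_refresh else None
        doc = {"authentication": authentication, "metadata": metadata,
               "access_token": {"invalidated": False,
                                "expires": time.time() + self.expiration_seconds},
               "refresh_token": None if refresh is None else
                   {"invalidated": False, "hash": hash_token_string(refresh)}}
        self.docs[hash_token_string(access)] = doc  # only hashes reach the index
        return access, refresh

    def get_authentication_and_metadata(self, access_token):
        # As for getAuthenticationAndMetadata: no expiry or invalidation check.
        doc = self.docs.get(hash_token_string(access_token))
        return None if doc is None else (doc["authentication"], doc["metadata"])

    def is_access_token_valid(self, access_token, at=None):
        doc = self.docs.get(hash_token_string(access_token))
        return (doc is not None and not doc["access_token"]["invalidated"]
                and (at or time.time()) < doc["access_token"]["expires"])

    def invalidate_access_token(self, access_token):
        # Update the token document: set access_token.invalidated to true.
        doc = self.docs.get(hash_token_string(access_token))
        if doc is not None:
            doc["access_token"]["invalidated"] = True
        return doc is not None

    def invalidate_refresh_token(self, refresh_token):
        # Find the document by refresh-token hash, set refresh_token.invalidated.
        target = hash_token_string(refresh_token)
        doc = next((d for d in self.docs.values() if d["refresh_token"]
                    and d["refresh_token"]["hash"] == target), None)
        if doc is not None:
            doc["refresh_token"]["invalidated"] = True
        return doc is not None
```

Note that an invalidated or expired token still resolves through get_authentication_and_metadata, exactly as the Javadoc caveat says; callers must check validity separately.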
    • invalidateActiveTokens

      public void invalidateActiveTokens(@Nullable String realmName, @Nullable String username, @Nullable Predicate<Map<String,Object>> filter, ActionListener<TokensInvalidationResult> listener)
      Invalidates all access and refresh tokens for a given realm and/or a given username so that they can no longer be used.
      Parameters:
      realmName - the realm of which the tokens should be invalidated
      username - the username for which the tokens should be invalidated
      filter - An optional Predicate to further test and filter the tokens to invalidate. The predicate tests the token doc source.
      listener - the listener to notify upon completion
    • refreshToken

      public void refreshToken(String refreshToken, ActionListener<TokenService.CreateTokenResult> listener)
      Called by the transport action in order to start the process of refreshing a token.
      Parameters:
      refreshToken - The refresh token as provided by the client
      listener - The listener to call upon completion with a TokenService.CreateTokenResult containing the serialized access token, the serialized refresh token and the authentication for which the token was created, as these are returned to the client
    • getTokenVersionCompatibility

      public TransportVersion getTokenVersionCompatibility()
    • isTokenServiceEnabled

      public static Boolean isTokenServiceEnabled(Settings settings)
    • getExpirationDelay

      public org.elasticsearch.core.TimeValue getExpirationDelay()
    • prependVersionAndEncodeAccessToken

      public String prependVersionAndEncodeAccessToken(TransportVersion version, byte[] accessTokenBytes) throws IOException, GeneralSecurityException
      Throws:
      IOException
      GeneralSecurityException
    • prependVersionAndEncodeRefreshToken

      public static String prependVersionAndEncodeRefreshToken(TransportVersion version, byte[] refreshTokenBytes) throws IOException
      Throws:
      IOException
    • getRandomTokenBytes

      public org.elasticsearch.core.Tuple<byte[],byte[]> getRandomTokenBytes(boolean includeRefreshToken)
    • getTokenMetadata

      public TokenMetadata getTokenMetadata()
      Returns the current in-use metadata of this TokenService